The Unseen Security Dangers in Financial Web Sites

What makes you think your financial institution’s web site is truly secure?

Millions of identities, credit card numbers and user login credentials are still being compromised every year by hackers getting into web sites we believe are secure. This valuable information will, undoubtedly, end up in the wrong hands.

Hindsight tells us that many of these web sites were obvious targets for cyber thieves just looking to make a few million. These web site owners were among the many who thanked the cyber gods that they were too far under the radar to attract a criminal’s attention. Unfortunately, this security-through-obscurity thinking may be exactly the reason these less-than-mainstream sites become unwilling donors to the cyber crime fund.

While security ostriches are rampant in many industries, I continue to be surprised at the naiveté in the otherwise sophisticated financial sector. This includes banks, credit unions, brokerage firms and mortgage companies – all environments where the public feels a sense of security, perhaps because we all need to believe our monies are safe behind the brick walls and vaults that their web sites represent.

That was the mindset of a large credit union I have worked with, post-hack. Let me share the security dangers that they and other financial institutions with whom I have worked are now painfully aware exist in the financial sector.

An important note: Even a so-called brochure web site, the kind customers visit for information, blog entries, CD and Money Market rates but not necessarily personal financial transactions, are at risk; many of these provide links to sites that process actual transactions, which makes them vulnerable.

Unseen Risks

Let’s start by remembering when you used to receive bank statements by mail. Think about a 1980s version of a hacker with access to the mailing company that sent these statements – someone who deviously replaces the institution’s contact phone number with his own.

When a bank customer called the hacker’s contact number, the statement-hacker could milk the conversation for account information, since the customer thought they had called the bank. Once the customer’s information was collected, the hacker visited the bank with the correct account numbers on a withdrawal slip, maybe flashed some fake ID (who doesn’t remember those fake driver’s licenses we used for our underage drinking in college) and then walked out with cash.

The basis of the scam was, of course, simple redirection from a trusted source: in this case, a false phone number on an otherwise legitimate bank statement.

The cyber version of this scam is remarkably similar. A cyber hacker gains access to a bank’s web site code and changes the contact information. Same drill: The hacker collects private information during the call, then later uses it to pose as the customer. In this case, however, the cyber criminal will use the collected information to access the customer’s online financial accounts. No fake ID needed!

The substantial differences between the paper and cyber versions of this redirection scam are (a) ease of implementation and (b) anonymity. Statistics indicate that 70% of all sites contain critical vulnerabilities – meaning it is embarrassingly easy to hack into most web sites.

Now let’s take the web site vandalism up a few notches. Instead of just changing the ‘call your bank’ number on the site, the cyber thief modifies each of the site’s internal links. These links, which normally direct the customer to other online banking sites, will now redirect them to identical-looking malicious sites that encourage the customer to enter his or her bank ID and password. Again, it’s all about trust; the customer started from the ‘real’ bank site, so why wouldn’t the embedded links be just as secure?

Instead of a few random calls from confused customers – a time-intensive undertaking – cyber thieves are constantly collecting customer credentials from these bogus sites with little further effort. In the days, or even hours, before the site modifications are discovered, the compromised customers have had their online accounts accessed and cleaned out.

One more hacking technique – perhaps the most deadly – and then we’re done. A common security flaw in many financial brochure-type web sites is called SQL (“sequel”) injection – a hacking method that takes advantage of security flaws in common input fields such as search and login. This flaw gives even a moderately skilled hacker access to the web site’s underlying database. In its most benign form, a SQL injection flaw will allow a hacker to change or delete the entire web site database. In its most obnoxious form, a SQL injection may allow a hacker access to the entire SQL server or internal network – perhaps compromising extremely private data. Instead of waiting for individual misdirected customers to enter their personal information, the hacker gets to collect information about all of the bank’s customers at once.

It is important to remember that the security scams and hacks described above revolve around brochure sites that are too often designed and built solely for their artistic value and social media use. Substantial funds are spent on image and brand, with little or no consideration given to the possibility that a breach into one of these security-fragile sites might taint the public image of the financial institution for years to come.

A Model of Security Awareness

Our first contact with a local credit union began with a desire to redo branding – therefore the need for a new brochure web site. Their two requirements – of equal importance in their eyes – were visual appeal to a rapidly expanding client base and absolute security.

The concern about visual appeal is not unique to this or any other financial intuition. A demand for security is, unfortunately, rare.

It is my belief that institutions reach this point for one of two reasons. Either some security disaster has occurred in the recent past and the company as a whole has vowed it will never happen again, or company management has wisely skipped the ‘after the breach’ phase and vowed no security disaster will happen on its watch.

In either case, the commitment to security cannot be taken lightly. A favorite quote from one of Microsoft’s security gurus, Scott Culp, is, “Eternal vigilance is the price of security.” In the case of this rebranded credit union brochure site, not only did the credit union place security as one of the primary requirements, but they also hired an outside security testing company to evaluate the final product before it went live.

To add a bit of interest to this tale, this credit union had suffered a thoroughly embarrassing hack on their previous site just a few years ago. Nothing fancy, just a simple page modification on the public brochure site redirecting visitors to a realistic bogus page that collected customer account information.

They vowed a security breach will never happen again, and backed it up with actions.

If We Look Small, We’ll be OK

For every security-aware financial institution I meet, ten look me in the eye and tell me their brochure site is just fine. They have no security concern because, they say, no real information is collected within the brochure site and the ‘serious’ work is done by security-hardened online financial sites.

They are half right. These financial companies have made the correct move to ‘farm out’ the really hard security operations to the professionals.

The half they missed, however, is the protection of the trust factor that has been intentionally built into their brochure sites. Every effort has been made for these sites to project confidence and security.

These brochure sites are content-oriented and often built on content management systems (CMS) that are either developed by a web design company or selected from several popular CMS options, such as WordPress and MODX. While I’ve seen some great, secure implementations of these, it takes a massive amount of work to get them right, and security is almost never in the skill set of the design firm setting up the site.

Regardless of the source and implementation of the brochure site, financial companies infrequently have them adequately tested for security. In a world where cyber crime is a billion-dollar industry, the complexity of security attack methods almost guarantees that an untested web site is one with critical security flaws.

The down side of any financial institution security breach is certainly a loss of public confidence and may result is substantial government penalties.

Naiveté never translates into quality. These unassuming financial companies are just setting themselves up for a security breach.

Some Advice for Financial Institutions

This is my favorite security statement, reinforced more times than I can count:

Businesses end up with a lack of security because they never, ever ask about it.

Web site design firms and internal and external marketing departments focus on the customer experience, and rightly so. They almost never consider security and, even if they do, rarely have the means to build a secure web site. Even more importantly, they typically have no way to test for security even if they are aware of its value.

Make no mistake: If your company, whether it be a financial institution or not, has a brochure web site, it is very likely a potential security risk.

My strong suggestion for anyone working to build a new web site or caring for an existing one (brochure or otherwise) is to ask the question, Is it secure? If the answer is no or not sure – get it remediated, soon. If the answer is yes, ask for security testing results that make sure you’re right.

Alan Wlasuk is a managing partner of 403 Web Security, a full service, secure web application development company. A Bell Labs Fellow award-winner with 18+ years of experience building secure web applications, Wlasuk is an expert in web security - from evaluation to web development and remediation.